[snowcrash]

please help me out, i've done everything i can possible do that i know how to do with out screwing anything up. i was on the newsgroups the other day and downloaded a file somehow with a bunch of files i had selected, and didn't know it. anyway, i saw it in my file folder, and opened it by mistake with out running a virus check on it. anyway, it was something like britney.scr or something like that i think. today and yesterday my computer started acting up sending out emails, and norton was keeping most of them from going out.

i've ran adaware, spybot search and destroy, norton, and stinger right now. i looked in my c:windows/system32 folder and there was svchost.exe. one was like 12.5kb(which i've read saying that is the correct one to have) and another one was svshost, a windows media file being like 59kb or something. i've ran a hijack this scan and saved the log. please help me out and let me know what i should delete and fix.

running stinger right now, it's come up with this, will update as it finishes:
Scan initiated:
C:\System Volume Infomations\_restore{C4A8D267-D1AB-4290-BEE2-E75D8D49ADCB}\RP286\A0032299.exe
Found the W32/Pate.dam virus!!!!
C:\System Volume Infomations\_restore{C4A8D267-D1AB-4290-BEE2-E75D8D49ADCB}\RP286\A0032299.exe could not be repaired.

thanks for any help!

Logfile of HijackThis v1.97.7
Scan saved at 10:09:09 PM, on 4/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Ascendis Software\Caller ID\CALLERID.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\System32\WISPTIS.EXE
C:\WINDOWS\SYSTEM32\svshost.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\movies4\stinger.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\movies4\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [rndll2] C:\program files\internet explorer\rndll2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [svshostdriver] svshost.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs9_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1267/ftp.coupons.com/v6/brix6ie.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/29b1a1be7d8d9d729118/netzip/RdxIE6.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.gsu.edu/activex/AxisCamControl.ocx
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4019/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.4937037037
O16 - DPF: {BA00165E-C903-11D3-BD27-0050048A82BF} (eShare Technologies NetAgent Customer ActiveX Control) - http://ec112.ecicorp.com/netagent/objects/CustAppX.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

 

[Byteman]

Hi, The infected files are in the RESTOR volume, and in order to fix that, you MUST delete all restore points....method:

http://service1.symantec.com/SUPPOR...sf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=

Don't see any other serious problems in your log.
Get rid of Restore Points as it tells you... come back, post a fresh log from HJThis if you like, and then you should be scanning virus free...check that before you post, OK? You then, after a clean scan, can create New Restore Point.

 

[Flrman1]

Hi Byteman. Our paths haven't crossed in a while. You doing OK?

Mind if I butt in here!

And Hi snowcrash

Welcome to TSG!

Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [rndll2] C:\program files\internet explorer\rndll2.exe

O4 - HKLM\..\Run: [svshostdriver] svshost.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/29b1a1be7d8d9d...tzip/RdxIE6.cab

Restart to safe mode.

How to start your computer in safe mode

First in safe mode click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete:

The C:\program files\internet explorer\rndll2.exe file
The C:\WINDOWS\SYSTEM32\svshost.exe file

*Note: There is a file in C:\Windows\System32 that looks similar to svshost.exe. That file is svchost.exe. The svchost.exe file is legit. DO NOT delete it. Delete svshost.exe

 

[Byteman]

Hi Mark (flrman1) yeah, doing OK but it is spelled W-O-R-K !! That and I have had some bronchitis spells that last a long time. Lately I have time to find a couple of posters that have no reply and get them started out-- usually late at night and then off to bed.
I'm working as my carpenter "alter ego' days, plus the pc work locally in off time- lately folks have been bringing in two at a time to get running, so it's a time thing mostly!
Last nite I wrestled with win2k Pro till 4 a.m., could not find a good driver for several modems I had around, but worked it out. Ended up tweaking the Services so it could restart in under 7 minutes... The computer was running 2kPro on a 300mhz PII with 192mb RAM, and very poky except hooked up to my cable ISP.
Hey nice of you to ask if things were Ok Mark!

 

[Flrman1]

Good luck with the bronchitis. Good to see you!

 

[snowcrash]

thanks alot for the help, computer seems to be running a lot better now.

 

[Flrman1]

You're Welcome! :up:

 

[Flrman1]

I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".